registry  /  create-weld-app  /  0.9.0

create-weld-app@0.9.0

Create a new WELD app — npm create weld-app

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The user-invoked CLI writes a WELD/Vite starter project and installs its declared dependencies in that project.

Static reason
One or more suspicious static signals were detected.
Trigger
User explicitly runs create-weld-app.
Impact
Creates files in the selected new project directory and invokes npm there.
Mechanism
Project scaffolding plus fixed-command npm install.
Rationale
Static signals reflect normal behavior for a user-invoked app generator. Source inspection shows a fixed npm install after writing a local starter project, with no lifecycle execution or malicious data/control flow.
Evidence
package.jsondist/index.js<user-project>/package.json<user-project>/index.html<user-project>/vite.config.ts<user-project>/tsconfig.json<user-project>/src/main.tsx<user-project>/src/styles.css<user-project>/src/App.tsx<user-project>/README.md<user-project>/.gitignore<user-project>/public/weld.png
Network endpoints2
weld-docs.vercel.applocalhost:5173

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, or postinstall lifecycle hooks.
    • dist/index.js runs only through the declared create-weld-app bin.
    • dist/index.js scaffolds a user-named project beneath process.cwd().
    • The only child process is fixed-string npm install with cwd set to that new project.
    • No credential/env harvesting, dynamic code loading, destructive operations, or agent-control writes found.
    Behavioral surface
    Source
    ChildProcessFilesystemShell
    Supply chain
    UrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 11.5 KB of source, external domains: weld-docs.vercel.app

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    3// src/index.ts L4: import { execSync } from "child_process"; L5: import { mkdir, writeFile } from "fs/promises";
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L3
    322try { L323: execSync("npm install", { cwd: dest, stdio: "inherit" }); L324: } catch { L325: console.log(` L326: ${c.dim("(run npm install manually)")}`); L327: }
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/index.jsView on unpkg · L322

    Findings

    3 High4 Low
    HighChild Processdist/index.js
    HighShell
    HighRuntime Package Installdist/index.js
    LowScripts Present
    LowFilesystem
    LowUrl Strings
    LowNo License